Callback phishing via Yammer comment

Detects callback scams sent through Yammer infrastructure containing suspicious payment-related keywords and phone numbers. The rule identifies messages with callback scam language patterns or multiple financial transaction terms combined with phone number patterns in the message body or subject line.

Sublime rule (View on GitHub)

 1name: "Callback phishing via Yammer comment"
 2description: "Detects callback scams sent through Yammer infrastructure containing suspicious payment-related keywords and phone numbers. The rule identifies messages with callback scam language patterns or multiple financial transaction terms combined with phone number patterns in the message body or subject line."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // message from Yammer sending infratructure
 8  and sender.email.domain.root_domain == 'yammer.com'
 9  and length(body.current_thread.text) < 2000
10  
11  // Callback Phishing
12  and (
13    any(ml.nlu_classifier(body.current_thread.text).intents,
14        .name in ("callback_scam")
15        and .confidence in ("medium", "high")
16    )
17    or 3 of (
18      strings.ilike(body.current_thread.text, '*purchase*'),
19      strings.ilike(body.current_thread.text, '*payment*'),
20      strings.ilike(body.current_thread.text, '*transaction*'),
21      strings.ilike(body.current_thread.text, '*subscription*'),
22      strings.ilike(body.current_thread.text, '*antivirus*'),
23      strings.ilike(body.current_thread.text, '*order*'),
24      strings.ilike(body.current_thread.text, '*support*'),
25      strings.ilike(body.current_thread.text, '*help line*'),
26      strings.ilike(body.current_thread.text, '*receipt*'),
27      strings.ilike(body.current_thread.text, '*invoice*'),
28      strings.ilike(body.current_thread.text, '*call*'),
29      strings.ilike(body.current_thread.text, '*cancel*'),
30      strings.ilike(body.current_thread.text, '*renew*'),
31      strings.ilike(body.current_thread.text, '*refund*')
32    )
33  )
34  // phone number regex
35  and any([body.current_thread.text, subject.subject],
36          regex.icontains(.,
37                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
38                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
39          )
40  )
41  // negate benign threads
42  and not any(ml.nlu_classifier(body.current_thread.text).intents,
43            .name == "benign" and .confidence == "high"
44  )  
45
46attack_types:
47  - "Callback Phishing"
48tactics_and_techniques:
49  - "Impersonation: Brand"
50  - "Out of band pivot"
51  - "Social engineering"
52detection_methods:
53  - "Content analysis"
54  - "Natural Language Understanding"
55  - "Header analysis"
56id: "66650e2b-b944-5e5e-89ef-790a941f534a"